5.4.1.3 Ensure password expiration warning days is 7 or more - users

Information

Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.

Solution

Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>

See Also

https://workbench.cisecurity.org/files/1857

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-9(3), CSCv6|16

Plugin: Unix

Control ID: e9ca967a2b852778e8700776da557b8f974f5656f5b820b1fb61a022d453f8f8